Updated firewall page with up to date details

ShadowArcanist · ShadowArcanist · commit 7025b5b0b630 · 2025-06-25T01:09:24.000+05:30
diff --git a/docs/knowledge-base/server/firewall.md b/docs/knowledge-base/server/firewall.md
@@ -1,71 +1,102 @@
 ---
 title: "Firewall"
-description: "A list of ports that need to be open on your firewall for Coolify to work properly."
+description: "Learn which network ports need to be open for Coolify to work properly in self-hosted or cloud environments, including firewall setup tips and GitHub integration requirements."
 ---
 
 # Firewall
-## Self-hosted version
+Coolify requires specific network ports to be open in order to function properly across various environments. These ports enable web access, SSH connections, terminal sessions, and real-time communication. 
 
-For self-hosting Coolify, you need to allow some ports on your firewall.
+The required ports may vary slightly depending on whether you're using a self-hosted setup or the managed version ([Coolify Cloud](https://coolify.io/pricing/)).
 
-- For Coolify: `8000` (http), `6001` (websocket), `6002` (terminal), and `22` (SSH, or a custom port) (required)
+
+## Coolify Self-hosted
+To ensure proper functionality when self-hosting Coolify, the following ports should be opened:
+
+* **8000** – HTTP access to the Coolify dashboard
+* **6001** – Real-time communications
+* **6002** – Terminal access (Required for Coolify version 4.0.0-beta.336 and above)
+* **22** – SSH access (or your custom SSH port)
+* **80** – SSL certificate generation via reverse proxy (Traefik or Caddy)
+* **443** – HTTPS traffic
+
+These ports are required if you're accessing Coolify directly using your server’s IP address (e.g., `http://<SERVER_IP>:8000`).
 
 ::: success Tip
-  8000, 6001, 6002 can be closed when accessing Coolify through a domain and using the integrated reverse proxy (Traefik or Caddy).
+If you're using a custom domain with Coolify’s integrated reverse proxy (Traefik or Caddy), you can safely close ports **8000**, **6001**, and **6002** after accesing the dashboard from your custom domain.
 :::
 
-- Reverse Proxy: `80, 443` (optional)
-
 ::: warning Caution
   If you are using `Oracle Cloud Free ARM Server`, you need to allow these ports
   inside Oracle's Dashboard, otherwise you cannot reach your instance from the
   internet after installation.
 :::
 
-### How to block ports 8000, 6000, 6001
 
-As long as you have access outside of http port 8000, uou can add the following `/data/coolify/source/docker-compose.custom.yml`:
+## Coolify Cloud
+For Servers connected to Coolify Cloud, the following ports must be open:
 
-```
-services:
-  coolify: # blocks external 8000
-    ports: !reset []
-  soketi:   # blocks external 6001, 6002
-    ports: !reset []
-```
+* **22** – SSH access (or your custom SSH port)
+* **80** – SSL certificate generation via reverse proxy (Traefik or Caddy)
+* **443** – HTTPS traffic
 
-Then run [installation](https://coolify.io/docs/get-started/installation) again. You can check these ports with nmap from your local machine to be sure they're closed.
+These are the only required ports, as all other services are managed for you by Coolify Cloud.
 
-```
-nmap -Pn -p 8000,6001,6002 <your coolify IP>
-```
 
-### Other options
-You can use your vendor firewall (ex. Digital Ocean etc) as another layer of protection, because Docker apps sometimes break through. UFW unbeknownst to you. If you don't want to use vendor firewall, you can also try [ufw-docker](https://github.com/chaifeng/ufw-docker).
 
+## Closing Ports Using a Firewall
+Coolify runs on Docker, which uses NAT-based iptables rules that can bypass traditional Linux firewalls like UFW. As a result, blocking ports using UFW alone will not be effective.
 
-### GitHub integration
-- [Detailed Guide](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses).
+### Recommended Approach
+Most cloud providers offer integrated firewalls through their dashboards. If your provider supports this, **it is highly recommended to use their firewall settings** to manage open ports instead of relying on local tools like UFW.
 
-#### Webhooks
-You need to allow TCP port `80` and `443` for GitHub webhooks.
+If your provider does not offer firewall functionality, you can use one of the following advanced methods:
 
-To specify the IP addresses (optional), you can use the following API endpoint to get them:
+### Coolify Self-hosted
+::: danger CAUTION!!
+  Modifying firewall settings incorrectly may lead to access issues that are difficult to recover from. 
+  
+  Proceed with the following steps **only if necessary**, and if you fully understand the implications.
+:::
 
-- https://api.github.com/meta - Check `hooks` section.
 
-### Terminal
+#### Option 1: Use `ufw-docker`
+[ufw-docker](https://github.com/chaifeng/ufw-docker) is a community-maintained tool that helps bridge UFW and Docker by allowing you to block specific ports effectively. Refer to the [GitHub repository](https://github.com/chaifeng/ufw-docker) for complete setup instructions
 
-Since 4.0.0-beta.336, you need to allow TCP port `6002` for terminal access on `/terminal` endpoint.
+#### Option 2: Prevent Coolify From Listening on External Ports
+You can stop Coolify from exposing ports by editing the `docker-compose.custom.yml` file:
 
-::: success Tip
-  If you are using the integrated reverse proxy (Traefik or Caddy), the terminal is accessible on `https://your-domain.com/terminal` with dynamic proxy configuration.
-:::
+```yaml
+services:
+  coolify: # disables external access to port 8000
+    ports: !reset []
+  soketi:  # disables external access to ports 6001 and 6002
+    ports: !reset []
+```
+
+After making these changes, re-run the [Coolify install script](https://coolify.io/docs/get-started/installation) to apply the updated configuration.
+
+You can verify that the ports are closed using `nmap` from your local machine:
+
+```bash
+nmap -Pn -p 8000,6001,6002 <SERVER_IP>
+```
+
+---
+
+### Coolify Cloud
+For servers connected to Coolify Cloud, only the SSH port (typically **22**) needs to be open for remote management.
+
+If you wish to restrict access based on IP address, we have a list of public IPs used by Coolify Cloud:
+
+* [IPv4 addresses](https://coolify.io/ipv4.txt)
+* [IPv6 addresses](https://coolify.io/ipv6.txt)
 
+Coolify Cloud’s IPs rarely change, but users will be notified by email if updates occur.
 
-## Cloud version
 
-If you need the public facing IPs to allow inbound connections to your servers, here is an up-to-date list of IPs that you can use to whitelist:
+### GitHub Integration
+GitHub uses webhooks to communicate with Coolify. For this to work correctly:
+* Ensure **TCP ports 80 and 443** are open.
+* (Optional) To restrict webhook access by IP, you can get the current list of GitHub’s outbound IPs from: https://api.github.com/meta (Check the `hooks` section)
 
-- https://coolify.io/ipv4.txt
-- https://coolify.io/ipv6.txt
+For more details, refer to their [documentation](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/about-githubs-ip-addresses)
